aaa authorization commands
Syntax
aaa authorization commands <CONNECTION-TYPE> {none | group <GROUP-LIST>}
no aaa authorization commands <CONNECTION-TYPE>
Description
Defines authorization as local RBAC (specified with the name none, which is the default), or defines a sequence of remote AAA server groups to be accessed for authorization purposes. Each available connection type (channel) can be configured individually as either local (by specifying none) or as using remote AAA server groups. All server groups named in the command must exist. This command can be issued multiple times, once for each connection type. Local authorization (specified as none) is always available for any connection type not configured for remote AAA authorization.
The no form of this command removes any defined remote AAA server group authorization sequence for the specified connection type. Local RBAC authorization is available for connection types without a configured remote AAA server group list (whether default or for the specific connection type).
Command context
config
Parameters
<CONNECTION-TYPE>
One of these connection types (channels):
default
Defines a list of authorization server groups to be used for the default connection type. This configuration applies to all other connection types (console, ssh) that are not explicitly configured with this command. For example, if you do not use aaa authorization commands console... to define the console authorization list, then this default configuration is used for console.
console
Defines a list of authorization server groups to be used for the console connection type.
ssh
Defines a list of authorization server groups to be used for the ssh connection type.
none
Selects local RBAC authorization.
group <GROUP-LIST>
Specifies the list of remote AAA server group names. The predefined remote AAA group name tacacs is available. User-defined TACACS+ server group names may also be used. The remote AAA server groups are accessed in the order in which the group names are listed in this command. Within each group, the servers are accessed in the order in which they were added to the group. Server groups are defined with the command aaa server group, and servers are added to a server group with the command server. It is recommended to always include the special name none as the last name in the group list. If none is omitted and no remote AAA server is reachable, authorization will not be possible.
Authority
Administrators
Usage
TACACS+ server authorization considerations
Use caution when configuring authorization, as it has no fail-through. If the switch is not configured properly, the switch might get into an unusable state in which all command execution is prohibited.
- Make sure that all listed TACACS+ servers can authorize users for command execution.
- Make sure that credential database changes are promptly synchronized across all TACACS+ servers.
- Make sure none is included as the last name in the group list. If none is omitted and no remote AAA server is reachable, authorization will not be possible.
Although not recommended, if you choose to omit none from the list and are manipulating configuration files, special caution is necessary. If the source configuration includes TACACS+ authorization, you are copying configuration from an existing switch into the running configuration of a new switch, and you have not yet configured the interface or routing information to reach the AAA server, the switch will enter an unusable state, requiring a hard reboot. To avoid this situation, which can occur when none has been omitted, do either of the following:
- In the configuration source, delete or comment out the line configuring remote authorization. Then, after the configuration copy and paste, manually configure authorization.
- Move the line configuring the authorization to the end of the source configuration before copying and pasting.
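The two usage recommendations above (keep none last in every group list, and move the authorization lines to the end of a configuration before copying it onto a new switch) can be checked mechanically before a paste. The following lint helper is an added example, not a vendor tool or part of this reference; it parses lines that follow the documented syntax and assumes a constructed sample configuration in which the non-authorization lines (hostname, and a placeholder comment for the interface and routing lines that reach the AAA servers) are illustrative only.

```python
"""Pre-paste lint for 'aaa authorization commands' lines (added example,
not vendor code).

Implements two checks from the usage notes:
  1. flag any remote authorization sequence whose group list does not
     end with the special name 'none';
  2. reorder a configuration so that authorization lines come last,
     after the interface and routing lines that make the AAA servers
     reachable.
"""
import re
from typing import Dict, List, Optional

# Documented syntax:
#   aaa authorization commands <CONNECTION-TYPE> {none | group <GROUP-LIST>}
# The 'no' form is deliberately not matched: it removes a sequence rather
# than defining one.
AUTHZ_RE = re.compile(
    r"^\s*aaa authorization commands\s+(?P<ctype>default|console|ssh)\s+"
    r"(?:(?P<none>none)|group\s+(?P<groups>.+?))\s*$"
)


def parse_authz_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'ctype': ..., 'groups': [...]} for a matching line, else None.

    A bare 'none' is represented as groups == ['none'] so that callers can
    treat local RBAC and a group list uniformly.
    """
    m = AUTHZ_RE.match(line)
    if not m:
        return None
    if m.group("none"):
        return {"ctype": m.group("ctype"), "groups": ["none"]}
    return {"ctype": m.group("ctype"), "groups": m.group("groups").split()}


def find_missing_none(config: str) -> List[str]:
    """Return connection types whose group list does not end with 'none'.

    Such a sequence has no local fallback: if no listed server is reachable,
    no command can be authorized on that channel.
    """
    risky: List[str] = []
    for line in config.splitlines():
        parsed = parse_authz_line(line)
        if parsed and parsed["groups"][-1] != "none":
            risky.append(str(parsed["ctype"]))
    return risky


def move_authz_to_end(config: str) -> str:
    """Reorder so every authorization line follows all other lines.

    Relative order within each group of lines is preserved, so the
    reachability configuration is applied before authorization is enforced.
    """
    others: List[str] = []
    authz: List[str] = []
    for line in config.splitlines():
        (authz if parse_authz_line(line) else others).append(line)
    return "\n".join(others + authz)


# Constructed sample configuration (not taken from a real switch). The
# hostname and the '!' comment placeholder are illustrative only.
SAMPLE_CONFIG = """\
aaa authorization commands default group tg1 tacacs none
aaa authorization commands console group tg1 tg2 tacacs
hostname edge-1
! placeholder: interface and routing lines that reach the AAA servers
"""


if __name__ == "__main__":
    for ctype in find_missing_none(SAMPLE_CONFIG):
        print(f"warning: '{ctype}' authorization list does not end with none")
    print("--- reordered for pasting ---")
    print(move_authz_to_end(SAMPLE_CONFIG))
```

Running the script on the sample reports that the console list lacks a trailing none, and prints the configuration with both authorization lines moved after the hostname and placeholder lines. The reorder does not add none for you: a list that is missing it is still flagged after reordering, because the two mitigations are independent.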
Examples
Defining the default authorization sequence based on a user-defined TACACS+ server group, then the default TACACS+ server group, and finally (as a precaution), local RBAC authorization:
switch(config)# aaa authorization commands default group tg1 tacacs none
All commands will fail if none of the servers in the group list are reachable. Continue (y/n)? y
switch(config)#
Defining the console authorization sequence based on two user-defined TACACS+ server groups, then the default TACACS+ server group, and finally (as a precaution), local RBAC authorization:
switch(config)# aaa authorization commands console group tg1 tg2 tacacs none
All commands will fail if none of the servers in the group list are reachable. Continue (y/n)? y
switch(config)#
Setting the authorization for default to local RBAC:
switch(config)# aaa authorization commands default none
switch(config)#